User Eric McCorkle discusses some security aspects of FreeBSD, notably signatures (executables, libraries, kernel), in his latest blog post. The article is broken down into sections such as signed ELF binaries, portable verification library, key management, etc. Read the whole thing at the link below.

About a month ago, I started a discussion on freebsd-hackers and freebsd-security about a system for signed executables, with a focus on signed kernels and kernel modules.  This is part of a larger agenda of mine to equip FreeBSD with OS-level tamper resistance features.

The initial use of this is for signing the kernel and its modules, and checking signatures during the loader process as well as at runtime when kernel modules are loaded. However, it is desirable to build a system that is capable of growing in likely directions, such as executable and library signing.

This article details the current state of the design of this system.

Desiderata

I originally outlined a number of goals for this system:

  1. Be able to check for a correct cryptographic signature for any kernel or modules loaded at boot time for some platforms (EFI at a minimum)

  2. Be able to check for a correct cryptographic signature for any kernel module loaded during normal operations (whether or not to do this could be controlled by a sysctl, securelevel, or some similar mechanism) ….

Original post: https://ericmccorkleblog.wordpress.com/2017/05/19/design-of-a-trust-system-for-freebsd/